Ransomware as a Service (RaaS) & Its Implications in 2021

2021 has witnessed a surge of ransomware attacks. Also, the attackers are targeting businesses that are critical to the public infrastructure, such as oil pipelines and international meat producers. 

Further, the demands for ransom have increased and the cost of clean-up has also doubled over the last year.

There are two major reasons for this sudden spike in ransomware attacks:

  • The exponential growth of the international cloud structure 
  • Dark web organizations like REvil and DarkSide franchise RaaS capabilities to attackers

Like SaaS, RaaS also has a flexible business approach. They allow the attackers to buy RaaS toolkits as monthly subscriptions, affiliate programs, lifetime access fees, and on a profit-sharing basis. 

With the ransomware code readily available, the talented hackers are able to plan highly sophisticated and targeted ransomware cyberattacks on multiple organizations, including citizen services, healthcare, and food. They are also targeting the supply chains, energy corporations, and transportation sector, which is alarming!

As these organizations have a limited window of acceptable downtime, they are more likely to pay ransom for getting their files back.

Let us take a look at some eye-opening stats that indicate how pernicious RaaS can be. 

Ransomware as a Service (RaaS) - Stats That Speak a Thousand Words

  • Stats report that 2 out of 3 Ransomware attacks are facilitated by RaaS setups.
  • The average cost of any ransomware attack scenario is 10 times the amount of ransom paid.
  • 2021 has witnessed a huge surge in Ransomware attacks and the attackers are targeting the regional setups as well. The vital service and infrastructure setups such as meat producers, healthcare, technology companies, food, energy, and transport - the attackers are now focusing on the backbone elements. 
  • Ransomware is projected to dominate the cybercrime landscape, as reports from Unit 42, The Crypsis Group incident response, and digital forensics firm suggest.
  • In 2020, the average ransom payment by organizations increased by 171%, to nearly US $300000.

With such crucial stakes up for global consideration, RaaS becomes a vital entity to be discussed and covered in the business security agendas for 2021. 

Because, now more and more organizations are operating on the cloud, utilizing remote resources, and they are using 3rd party security providers. 

Here, we discuss RaaS and the implications it has in 2021 at length. 

What Is Ransomware as a Service? (RaaS)

Ransomware-as-a-service (RaaS) is a subscription-based service similar to a legitimate software-as-a-service (SaaS) system. 

The attackers can buy the RaaS kits online. These kits come with the basic framework of a ransomware virus or other worms of varying lethality. The attackers have to just customize it to use in a cyberattack. 

Using the existing framework, they can also create their own malicious virus variants. 

A typical RaaS kit might include:

  • Encryption tools
  • Ransom collection
  • Communications 
  • Proven tactics and techniques to carry out the attack successfully

Ransomware basically encrypts organizational files and makes them inaccessible. Once the files are hijacked, the attackers demand ransom in exchange for a decryption key that would allow the victim organization to regain their files partially or completely. 

It is a common behavior for attackers to demand ransom more than once before relinquishing control of the victim’s data in stages.

The ransom is generally in the form of cryptocurrency, and the payment is yet again managed by a middleman that is diverted via various channels. 

The following visual offers a simple overview of the entire process:

What Is Ransomware as a Service


How Does Ransomware as a Service (RaaS) Work?

  • The ransomware developer creates a RaaS kit and gets it licensed to a ransomware affiliate.
  • This kit is purchased by an attacker and they customize it for an attack via various loopholes.
  • The victim clicks on these malicious links or visits the malicious URL, and the ransomware gets installed on his/her device or network.
  • Upon execution, ransomware:
    • Encrypts the files
    • Identifies more targets on the enterprise network
    • Modifies system or network configurations
    • Disrupts or destroys the backups
    • Covers its tracks and enforces network state to prevail
  • The victim detects the situation and gets a ransom note and makes the payment via cryptocurrency or any other untraceable channel.
  • Once the payment is received, the affiliate might or might not share the decryption key with the victim, or might ask for more money or offer only partial data in return. 

The entire process is shown in the following visual:

How Does Ransomware as a Service (RaaS) Work


Dangerous Implications of Ransomware as a Service

1) Downtime

Studies reveal that bugs, glitches, and downtime are the leading causes of customer churn. RaaS attacks increase your business downtime which affects the service accessibility for your customers as well. They are no longer able to use your products and services and tend to lose faith in your credibility and availability. 

2) Customer Confidence

76% of the customers understand that sharing personal data with companies is a necessary evil, and 84% will switch brands if they don't trust the data handling and management policies of a company. 

Now, when you fall victim to a RaaS attack, all your data becomes the property of an attacker. 

This deteriorates customers’ trust and confidence in your security policies and you lose business.

3) Compliance

As most ransomware attacks target the loopholes and security vulnerabilities in your apps and website, an attack would imply that your security system is not robust. Further, you have to incur heavy fines for violating various compliances that ask for a certain level of security from the vendors using them. 

4) Data Loss

It is highly likely that you to lose mission-critical and irreplaceable data during and after a ransomware attack. In case you don’t have any backup elsewhere, the chances of never getting your data again are extremely high.

5) Ransomware Payments

The ransom is always very high, and the attackers might even ask for ransom in stages. Apart from dealing with a fatal financial blow, ransom payment also outs your security weaknesses in front of all the stakeholders. 

Top 5 Known Ransomware as a Service Variants

Top 5 Known Ransomware as a Service Variants

1) REvil

Also known as the Sodinokibi ransomware, REvil is used by the GOLD SOUTHFIELD group which is financially motivated and distributes ransomware via exploit kits, RDP servers, backdoored software installers, etc. 

REvil offers a number of configurable capabilities, that facilitate fine-tuning the payload for an attacker, such as:

  • Exploiting the existing vulnerabilities in an enterprise system
  • Data exfiltration
  • Delete the contents of blacklisted files and folders

2) WannaCry 

WannaCry - was a worm that infected numerous computer networks in May 2017. It infected the Windows computers and encrypted the files on the hard drive of the PC, rendering them inaccessible to the user. 

The victim was asked to pay a ransom in Bitcoin to get the files decrypted. Some of its peculiarities included:

  • It attacked many high-profile systems, such as Britain's National Health Service.
  • It exploited a vulnerability that was believed to have been identified by the United States National Security Agency.
It was linked to the Lazarus Group, a cybercrime organization often linked to the North Korean government.

3) Ryuk

It was a modified version of Hermes, coming from the cybercrime group WIZARD SPIDER, and has been used multiple times for money extortion. Specifically targeting enterprise environments, Ryuk is an extremely effective and well-targeted cyberattack.

4) Thanos

First discussed in February 2020, Thanos ransomware comes with a builder that attackers can customize with a number of available settings. Thanos has been up for grabs on multiple underground forums, and this fact implies that a number of attackers must be utilizing it for ransom.

It is primarily delivered via phishing emails, such as luring financial information like invoices, tax refund details, etc. Once it is launched, the Thanos ransomware terminates multiple security processes and system utilities for easy file encryption. 


5) Petya

Discovered in 2016, Petya is a malware family that targets MS Windows systems and devices. Beginning with an infection of the master boot record, Petya executes a payload that encrypts the hard drive files and prevents booting. While used for global attacks, it primarily targeted Ukraine.

Its new version, NotPetya propagates via an exploit developed by the US NSA - EternalBlue. The variant had key modifications that make it impossible to revert the changes made during the attack. 

How to Protect Your Organization From Ransomware?

1) Backup Data

Creating a robust and regular data backup and recovery process can help you reduce the impact of a RaaS attack. You can also follow the "3-2-1" practice for data backup and recovery, that is:

  • Make 3 copies of the data
  • 2 different media
  • 1 offsite

This practice will allow you to have a recent data backup at all times, which facilitates rapid recovery from an attack with continued data integrity. 

2) Update and Patch The Entire Enterprise Software Suite

Firmware, anti-malware apps, operating systems, and security or collaboration software - always install the latest patch for anything to everything in your software suite. RaaS attacks are more versatile, more sophisticated, and more frequent now.

Keeping your software suite updated and patched allows you to be better prepared. 

3) Train Employees To Identify and Avoid Phishing Attacks

As most cyber attacks begin with phishing emails, malicious URLs, and other such activities, it is a must to educate your employees better. Train them to avoid phishing and keep the distance between personal browsing over business devices. 

Discuss and share case studies and historical scenarios for a better understanding of how lethal a single click can be!


4) Monitor All Endpoints

Endpoint security determines your strength and vulnerabilities. Once an invader is inside the system, the situation can escalate within a few minutes. Especially in modern times, when more and more organizations are working on the cloud and with 3rd party solution providers.

So, it is important to have robust perimeter security based on the Zero Trust Policy, for proactive security. Zero trust security stems from the “Trust None, Verify All” methodology and monitors as well as tracks the entire user and entity behavior on the enterprise network. 

So, you are able to secure your assets better.


5) Perform Regular Security Audits

A security audit is a comprehensive evaluation and assessment of your enterprise security system and helps uncover any hidden vulnerabilities or loopholes. Begin with a checklist of various security goals and establish the scope of the audit. Next, conduct the audit and evaluate the security issues and risks you find. 

Finally, you determine the control and corrective measures.

Doing this regularly keeps you updated on your enterprise security vulnerabilities and you are able to secure your business assets better.

Take the First Step Towards Better Security Now: Get A Security Audit With Appknox

Security audits must be thorough, and robust and discover hidden loopholes and security vulnerabilities. Hence, you must opt for a tool that offers multiple security assessments and examination techniques, like Appknox. 

Appknox offers highly comprehensive and intuitive vulnerability assessment and penetration testing, for mobile apps. You can use SAST, DAST, and API security testing to uncover any hidden vulnerabilities in your app code. Further, manual penetration tests and remediation calls allow you to discover any underlying risks to your app security.

Appknox Free Trial

Published on Sep 28, 2021
Subho Halder
Written by Subho Halder
Subho Halder is the CISO and Co-Founder of Appknox. He started his career researching Mobile Security. Currently, he helps businesses to detect and fix security vulnerabilities. He has also detected critical loopholes in companies like Google, Facebook, Apple, and others


Chat With Us

Using Other Product?

Switch to Appknox

2 Weeks Free Trial!

Get Started Now